Cisco DDoS Multi-Device Management System Configuration Guide (Software Release 1.5) - Resolving Conflicts and Synchronizing Zones [Cisco DDoS Multidevice Management System]

Table Of Contents

Resolving Conflicts and Synchronizing Zones

Resolving MDM Database Conflicts

Synchronizing Zone Configuration Information

Displaying or Modifying the Automatic Synchronization Parameters

Excluding Zone Policies and Remote Guard Lists From Zone Synchronization

Initiating Synchronization Manually

Resolving Conflicts and Synchronizing Zones

This chapter describes how to use the Cisco DDoS MultiDevice Manager (MDM) to resolve zone configuration conflicts and to synchronize zone configuration information on the zone devices.

The MDM maintains a local database that cross-references the devices that you define on the MDM device list with all of the zone configurations contained on each of the devices. A zone configuration conflict occurs when the zones associated with a device in the MDM database do not match the zones configured on the device. For example, the MDM would indicate that a conflict exists if you were to add a device to the MDM device list that you had previously configured with a zone using the device's CLI. To resolve this conflict, you would allow the MDM to update its database to show the association between the zone and the device.

Synchronization is the process in which the MDM updates the zone devices with the zone configuration information that resides on the zone master device. Synchronization allows you to create or modify a zone configuration once on the master device and then update the other zone devices with the new information. You can manually initiate synchronization, or you can configure the MDM to perform the process automatically.

Note This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.

This chapter contains the following sections:

•Resolving MDM Database Conflicts

•Synchronizing Zone Configuration Information

Resolving MDM Database Conflicts

To help manage the devices that you define on the MDM device list, the MDM maintains a database that shows the relationship between each device on the device list and the zones configured on each device. (The database contains the zone name only, not the complete zone configuration.) The MDM considers it a conflict when it detects any inconsistencies between the information in its database and the zones configured on a device.

Conflicts can occur for the following reasons:

•A zone exists on a device but is not associated with the device in the MDM database. This situation could occur for the following reasons:

–The device contained zone configurations prior to you adding the device to the MDM device list.

–After adding the device to the MDM device list, you create a zone directly on the device using the device's CLI or Web-Based Manager (WBM).

•A zone is associated with a device in the MDM database, but the zone is not defined on the device. This conflict could occur if you were to delete the zone from the device using the device's CLI or WBM.

The MDM does not automatically check for conflicts in the network. You must click the Conflict Resolution option from the Network Summary menu to enable the MDM to search the network for conflicts.

Figure 4-1 provides an example of the information that the Conflicts Resolution screen displays and the options available for resolving any conflicts. This example shows only two of the four types of conflict tables that may display in this screen. The MDM displays a table only when a conflict exists that matches the conflict table type.

Figure 4-1 Sample Conflict Resolution Screen

To view all existing conflicts and resolve a conflict, follow these steps:

Step 1 Access the Network Summary screen using the following methods:

•From the navigation pane, click Network Summary.

•From the information area located in the upper right hand corner, click Home.

Step 2 From the Network Summary menu, choose Diagnostics > Conflict Resolution. The Conflicts Resolution screen appears, displaying all current conflicts. Depending on the conflicts that exist at the time, the MDM displays as many as four different types of conflict tables. Each table type is described in Step 3.

Step 3 Resolve the desired conflicts using the options available with each of the conflict types:

•Exits on Unassociated Devices—This conflict table displays when the MDM finds a zone on the indicated device (x), but the MDM database does not contain the zone, which means that the database cannot show an association between the zone and device.

Click one of the following conflict resolution options for the MDM to perform:

–Associate—Adds the zone name to its database and associates it with the indicated devices (x). The zone name displays in the navigation pane's zone list.

–Remove—Deletes the zone from the device database.

–Rename & Create—Leaves the existing zone on the MDM alone, but creates a copy of the zone under a new name, which you specify in a new window. The MDM adds the new zone name to its database and associates it with the indicated devices (x). The zone name displays in the navigation pane's zone list.

•Missing from Devices—This conflict table displays when a zone exists in the MDM database, which shows an association between the zone and the indicated device (x); however, the zone does not exist on the indicated device. In this type of conflict, the zone either exists on the zone master device (minimum) or is missing from all of the zone devices, including the master device.

Click one of the following conflict resolution options for the MDM to perform:

–Add—Adds the zone to the device by initiating synchronization, in which the zone information residing on the zone master device is copied to the other zone devices.

–Disassociate—Removes the zone-to-device association in its database.

–Delete—Deletes the zone from its database. Delete is the only option available when the zone is missing from all of the zone devices, including the master device.

•Missing from Master—This conflict table displays when a zone exists in the MDM database, which shows an association between the zone and the indicated device (x); however, the zone does not exist on the indicated devices. In this case, one zone is the zone master device. However, the zone does exist on at least one of the other zone devices.

Click one of the following conflict resolution options for the MDM to perform:

–Select Master—Allows you to choose another device (one with the zone information residing on it), as the master device. The MDM then initiates synchronization which enables the zone information that resides on the new zone master device to be copied to the other zone devices.

–Restore—Copies the zone information from a zone device that you choose as the master device.

•Multiple Inconsistency—This conflict table displays when a conflict exists that is a hybrid of the first two bulleted items (Exists on Unassociated Device and Missing from Devices).

Click one of the following conflict resolution options for the MDM to perform:

–Match Devices—Modifies the database to match the zone information on the devices.

–Match MDM—Modifies the zone information on the devices to match the database.

–Merge—Accepts all inconsistencies by updating its database with missing device association information and updating all of the devices with missing zone information.

Synchronizing Zone Configuration Information

Synchronization allows zone configuration information to be propagated from the master device to the other devices that you have associated with the zone configuration. This operation allows you to perform the following tasks:

•Create a zone once on the master device and copy the zone configuration to the other zone devices.

•Perform a full synchronization update of the zone devices, copying the entire zone configuration from the master device to each of the zone devices.

•Perform a partial synchronization update of the zone devices, choosing to exclude the configured policies and/or the remote Guard list (Detector only) defined on the zone master device.

•Resolve zone configuration conflicts between devices.

During synchronization, the zone information that resides on the master device overwrites all of the existing configuration information that resides on the other zone devices unless you choose a partial synchronization to exclude zone policies and/or the remote Guard lists. The MDM allows you to initiate synchronization manually or you can configure the MDM to automatically initiate synchronization based on the occurrence of an event, such as when you accept the results of a learning phase on the master device.

Synchronization between the master device and the zone devices occurs only when all of the zone devices are inactive. When the zones are active and you modify the zone configuration, the MDM uses the immediate distribution operation (not synchronization) to distribute just the modified information to each of the devices. This behavior is different from when the devices are in the inactive state, where the changes are downloaded to the master device and the configuration (entire or partial) is synchronized with the zone devices after a defined period of time has elapsed. See the "Managing Zone Configurations" section in Chapter 1, "Product Overview" for more information about how the MDM propagates zone configuration information using either synchronization or immediate distribution.

Note You must synchronize zone configuration information before you activate Protect to ensure that all of the Guards are using the same configuration information (for example, synchronizing the zone configuration with all of the zone devices is important when you add an IP address to the zone configuration).

When the MDM detects a synchronization error, it displays an (x) in the zone listed in the navigation pane. The error icon also displays in the navigation path located in the upper left of the Zone Summary screen.

Caution The MDM does not track changes that you make to a zone configuration using the device CLI or Web-Based Manager (WBM). For example, if you modify the zone configuration on a device (other than the zone master device) using the device CLI, the MDM does not know that a change has been made. The next time that the zone is synchronized, the master device zone configuration will overwrite the changes that you made to the configuration on the other device.

This section contains the following topics:

•Displaying or Modifying the Automatic Synchronization Parameters

•Excluding Zone Policies and Remote Guard Lists From Zone Synchronization

•Initiating Synchronization Manually

Displaying or Modifying the Automatic Synchronization Parameters

To display or modify the current MDM synchronization parameters of a zone, follow these steps:

Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > General. The zone General screen appears.

Step 3 Verify the current synchronization parameter settings displayed in the MDM Synchronization Parameters area of the General Configuration table.

Step 4 (Optional) Click Config to modify the synchronization parameter settings. The Config Zone Form screen appears.

Step 5 (Optional) Enable automatic synchronization by performing the following steps from the MDM Synchronization Parameters area:

•Define the Immediate synchronization triggers by checking one or both of the following check boxes:

–Before Manual Protection—When you manually activate Protect on the Guards, the MDM initiates synchronization before activating Protect. The default setting for this option is unchecked.

–After Manual Learning Accept—When you manually accept the results of a learning phase, the MDM initiates synchronization after it saves the results to the zone configuration on the master device. The default setting for this option is unchecked.

Note To configure a Detector for automatic synchronization before activating a Guard or after accepting the results of a learning phase, you must configure the Detector by entering the learning-params sync {accept | remote-activate} command in the CLI.

•Enable (or disable) the Synchronization Delay Time function:

–Never—Check this option if you do not want the MDM to automatically initiate synchronization after a zone configuration change.

–Minutes—Check this option to have the MDM wait a set number of minutes before initiating synchronization after a zone configuration change. Enter the number of minutes that you want the MDM to wait. The default is 5.

Step 6 (Optional) Disable automatic synchronization by unchecking all of the check boxes in the MDM Synchronization Parameters area.

Step 7 Click OK. The MDM saves the zone configuration changes on the master device.

Excluding Zone Policies and Remote Guard Lists From Zone Synchronization

You can perform a partial synchronization of the zone configuration when updating the zone devices with the information that resides on the zone master device. This feature allows you to exclude the following parameters when synchronizing a zone configuration:

•Zone policies—Exclude the zone policies configured on the master device to maintain a unique set of zone policies and policy thresholds on each zone device. When you exclude the zone policies, each zone device must perform the learning process (see Chapter 9, "Learning Zone Traffic and Taking Snapshots").

•Remote Guard lists—Exclude the list of remote Guards defined on the master device to maintain unique remote Guard lists on each zone Detector. When you exclude the remote Guard lists, you must define the lists on each zone Detector.

Note Using the CLI, you can configure the Detector with a global remote Guard list to activate the same Guards whenever any zone configured on the Detector is attacked. Refer to the appropriate Detector configuration guide listed in the "Related Documentation" section of the Preface.

See the "Managing Zone Configurations" section in Chapter 1, "Product Overview" for more information.

To exclude synchronizing zone polices or remote Guard lists, follow these steps:

Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > General. The zone General screen appears.

Step 3 Verify the current synchronization parameter settings displayed in the MDM Synchronization Parameters area of the General Configuration table. The Synchronization Extent field identifies whether to exclude the configuration of policies and to exclude all remote Guards (Detector only) when synchronizing the zone.

Step 4 Click Config (located below the first table) to modify the synchronization parameter settings. The Config Zone Form screen appears.

Step 5 Enable the partial synchronization feature by activating the following options in the Synchronization Exclusion section of MDM Synchronization Parameters:

•Check the Exclude Policies checkbox to instruct the MDM not to override the policies of the zone devices during the synchronization process. Check this option when you want to perform separate learning on each device and to preserve the results on a per-device basis.

When you configure the MDM to exclude the synchronization of policies that reside on the master device, you must configure the MDM Learning Parameters to enable each zone device to perform the learning process. See the "Modifying the Zone General Configuration Attributes" section in Chapter 5, "Creating and Configuring Zones" for details.

•Check the Exclude Remote Guards checkbox to instruct the MDM not to override the remote Guard list defined on each of the zone Detectors. When the Detectors detect an attack on the zone, each one activates a different list of remote Guards.

Note The Exclude Remote Guards option is available only when you associate two or more Detectors with the zone. This option does not display when the zone contains only a single Detector or all Guards.

When you configure the MDM to exclude from synchronization the remote Guard lists that reside on the master device, you must define a separate remote Guard list on each of the Detectors associated with the zone. See the "Managing the Remote Guard List on a Zone Detector" section in Chapter 5, "Creating and Configuring Zones" for details.

Step 6 Click OK. The MDM saves the zone configuration changes on the master device.

Initiating Synchronization Manually

To manually initiate synchronization, follow these steps:

Step 1 From the navigation pane, select an inactive zone. The zone menu appears.

Step 2 From the zone menu, choose Activation > Synchronization. The MDM initiates synchronization on the master device.

If an error occurs during synchronization, the MDM displays an error window and places an (x) next to the zone name in the navigation pane.

	Cisco DDoS Multi-Device Management System Configuration Guide (Software Release 1.5)
	Resolving Conflicts and Synchronizing Zones
Cisco DDoS Multi-Device Management System Configuration Guide (Software Release 1.5) Index Preface Product Overview Getting Started Managing Devices on the MDM Network Resolving Conflicts and Synchronizing Zones Creating and Configuring Zones Managing Zone Filters Managing Zone Policy Templates Managing Zone Policies Learning Zone Traffic and Taking Snapshots Activating Anomaly Detection and Zone Protection Monitoring Zone and Device Operations Troubleshooting Problems with the MDM	Download this chapter Resolving Conflicts and Synchronizing Zones Download the complete book Cisco DDoS MultiDevice Manager Configuration Guide (Software Version 1.5), Book-Length PDF (PDF - 4 MB) Table Of Contents Resolving Conflicts and Synchronizing Zones Resolving MDM Database Conflicts Synchronizing Zone Configuration Information Displaying or Modifying the Automatic Synchronization Parameters Excluding Zone Policies and Remote Guard Lists From Zone Synchronization Initiating Synchronization Manually Resolving Conflicts and Synchronizing Zones This chapter describes how to use the Cisco DDoS MultiDevice Manager (MDM) to resolve zone configuration conflicts and to synchronize zone configuration information on the zone devices. The MDM maintains a local database that cross-references the devices that you define on the MDM device list with all of the zone configurations contained on each of the devices. A zone configuration conflict occurs when the zones associated with a device in the MDM database do not match the zones configured on the device. For example, the MDM would indicate that a conflict exists if you were to add a device to the MDM device list that you had previously configured with a zone using the device's CLI. To resolve this conflict, you would allow the MDM to update its database to show the association between the zone and the device. Synchronization is the process in which the MDM updates the zone devices with the zone configuration information that resides on the zone master device. Synchronization allows you to create or modify a zone configuration once on the master device and then update the other zone devices with the new information. You can manually initiate synchronization, or you can configure the MDM to perform the process automatically. Note This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device. This chapter contains the following sections: •Resolving MDM Database Conflicts •Synchronizing Zone Configuration Information Resolving MDM Database Conflicts To help manage the devices that you define on the MDM device list, the MDM maintains a database that shows the relationship between each device on the device list and the zones configured on each device. (The database contains the zone name only, not the complete zone configuration.) The MDM considers it a conflict when it detects any inconsistencies between the information in its database and the zones configured on a device. Conflicts can occur for the following reasons: •A zone exists on a device but is not associated with the device in the MDM database. This situation could occur for the following reasons: –The device contained zone configurations prior to you adding the device to the MDM device list. –After adding the device to the MDM device list, you create a zone directly on the device using the device's CLI or Web-Based Manager (WBM). •A zone is associated with a device in the MDM database, but the zone is not defined on the device. This conflict could occur if you were to delete the zone from the device using the device's CLI or WBM. The MDM does not automatically check for conflicts in the network. You must click the Conflict Resolution option from the Network Summary menu to enable the MDM to search the network for conflicts. Figure 4-1 provides an example of the information that the Conflicts Resolution screen displays and the options available for resolving any conflicts. This example shows only two of the four types of conflict tables that may display in this screen. The MDM displays a table only when a conflict exists that matches the conflict table type. Figure 4-1 Sample Conflict Resolution Screen To view all existing conflicts and resolve a conflict, follow these steps: Step 1 Access the Network Summary screen using the following methods: •From the navigation pane, click Network Summary. •From the information area located in the upper right hand corner, click Home. Step 2 From the Network Summary menu, choose Diagnostics > Conflict Resolution. The Conflicts Resolution screen appears, displaying all current conflicts. Depending on the conflicts that exist at the time, the MDM displays as many as four different types of conflict tables. Each table type is described in Step 3. Step 3 Resolve the desired conflicts using the options available with each of the conflict types: •Exits on Unassociated Devices—This conflict table displays when the MDM finds a zone on the indicated device (x), but the MDM database does not contain the zone, which means that the database cannot show an association between the zone and device. Click one of the following conflict resolution options for the MDM to perform: –Associate—Adds the zone name to its database and associates it with the indicated devices (x). The zone name displays in the navigation pane's zone list. –Remove—Deletes the zone from the device database. –Rename & Create—Leaves the existing zone on the MDM alone, but creates a copy of the zone under a new name, which you specify in a new window. The MDM adds the new zone name to its database and associates it with the indicated devices (x). The zone name displays in the navigation pane's zone list. •Missing from Devices—This conflict table displays when a zone exists in the MDM database, which shows an association between the zone and the indicated device (x); however, the zone does not exist on the indicated device. In this type of conflict, the zone either exists on the zone master device (minimum) or is missing from all of the zone devices, including the master device. Click one of the following conflict resolution options for the MDM to perform: –Add—Adds the zone to the device by initiating synchronization, in which the zone information residing on the zone master device is copied to the other zone devices. –Disassociate—Removes the zone-to-device association in its database. –Delete—Deletes the zone from its database. Delete is the only option available when the zone is missing from all of the zone devices, including the master device. •Missing from Master—This conflict table displays when a zone exists in the MDM database, which shows an association between the zone and the indicated device (x); however, the zone does not exist on the indicated devices. In this case, one zone is the zone master device. However, the zone does exist on at least one of the other zone devices. Click one of the following conflict resolution options for the MDM to perform: –Select Master—Allows you to choose another device (one with the zone information residing on it), as the master device. The MDM then initiates synchronization which enables the zone information that resides on the new zone master device to be copied to the other zone devices. –Restore—Copies the zone information from a zone device that you choose as the master device. •Multiple Inconsistency—This conflict table displays when a conflict exists that is a hybrid of the first two bulleted items (Exists on Unassociated Device and Missing from Devices). Click one of the following conflict resolution options for the MDM to perform: –Match Devices—Modifies the database to match the zone information on the devices. –Match MDM—Modifies the zone information on the devices to match the database. –Merge—Accepts all inconsistencies by updating its database with missing device association information and updating all of the devices with missing zone information. Synchronizing Zone Configuration Information Synchronization allows zone configuration information to be propagated from the master device to the other devices that you have associated with the zone configuration. This operation allows you to perform the following tasks: •Create a zone once on the master device and copy the zone configuration to the other zone devices. •Perform a full synchronization update of the zone devices, copying the entire zone configuration from the master device to each of the zone devices. •Perform a partial synchronization update of the zone devices, choosing to exclude the configured policies and/or the remote Guard list (Detector only) defined on the zone master device. •Resolve zone configuration conflicts between devices. During synchronization, the zone information that resides on the master device overwrites all of the existing configuration information that resides on the other zone devices unless you choose a partial synchronization to exclude zone policies and/or the remote Guard lists. The MDM allows you to initiate synchronization manually or you can configure the MDM to automatically initiate synchronization based on the occurrence of an event, such as when you accept the results of a learning phase on the master device. Synchronization between the master device and the zone devices occurs only when all of the zone devices are inactive. When the zones are active and you modify the zone configuration, the MDM uses the immediate distribution operation (not synchronization) to distribute just the modified information to each of the devices. This behavior is different from when the devices are in the inactive state, where the changes are downloaded to the master device and the configuration (entire or partial) is synchronized with the zone devices after a defined period of time has elapsed. See the "Managing Zone Configurations" section in Chapter 1, "Product Overview" for more information about how the MDM propagates zone configuration information using either synchronization or immediate distribution. Note You must synchronize zone configuration information before you activate Protect to ensure that all of the Guards are using the same configuration information (for example, synchronizing the zone configuration with all of the zone devices is important when you add an IP address to the zone configuration). When the MDM detects a synchronization error, it displays an (x) in the zone listed in the navigation pane. The error icon also displays in the navigation path located in the upper left of the Zone Summary screen. Caution The MDM does not track changes that you make to a zone configuration using the device CLI or Web-Based Manager (WBM). For example, if you modify the zone configuration on a device (other than the zone master device) using the device CLI, the MDM does not know that a change has been made. The next time that the zone is synchronized, the master device zone configuration will overwrite the changes that you made to the configuration on the other device. This section contains the following topics: •Displaying or Modifying the Automatic Synchronization Parameters •Excluding Zone Policies and Remote Guard Lists From Zone Synchronization •Initiating Synchronization Manually Displaying or Modifying the Automatic Synchronization Parameters To display or modify the current MDM synchronization parameters of a zone, follow these steps: Step 1 From the navigation pane, choose a zone. The zone menu appears. Step 2 From the zone menu, choose Configuration > General. The zone General screen appears. Step 3 Verify the current synchronization parameter settings displayed in the MDM Synchronization Parameters area of the General Configuration table. Step 4 (Optional) Click Config to modify the synchronization parameter settings. The Config Zone Form screen appears. Step 5 (Optional) Enable automatic synchronization by performing the following steps from the MDM Synchronization Parameters area: •Define the Immediate synchronization triggers by checking one or both of the following check boxes: –Before Manual Protection—When you manually activate Protect on the Guards, the MDM initiates synchronization before activating Protect. The default setting for this option is unchecked. –After Manual Learning Accept—When you manually accept the results of a learning phase, the MDM initiates synchronization after it saves the results to the zone configuration on the master device. The default setting for this option is unchecked. Note To configure a Detector for automatic synchronization before activating a Guard or after accepting the results of a learning phase, you must configure the Detector by entering the learning-params sync {accept \| remote-activate} command in the CLI. •Enable (or disable) the Synchronization Delay Time function: –Never—Check this option if you do not want the MDM to automatically initiate synchronization after a zone configuration change. –Minutes—Check this option to have the MDM wait a set number of minutes before initiating synchronization after a zone configuration change. Enter the number of minutes that you want the MDM to wait. The default is 5. Step 6 (Optional) Disable automatic synchronization by unchecking all of the check boxes in the MDM Synchronization Parameters area. Step 7 Click OK. The MDM saves the zone configuration changes on the master device. Excluding Zone Policies and Remote Guard Lists From Zone Synchronization You can perform a partial synchronization of the zone configuration when updating the zone devices with the information that resides on the zone master device. This feature allows you to exclude the following parameters when synchronizing a zone configuration: •Zone policies—Exclude the zone policies configured on the master device to maintain a unique set of zone policies and policy thresholds on each zone device. When you exclude the zone policies, each zone device must perform the learning process (see Chapter 9, "Learning Zone Traffic and Taking Snapshots"). •Remote Guard lists—Exclude the list of remote Guards defined on the master device to maintain unique remote Guard lists on each zone Detector. When you exclude the remote Guard lists, you must define the lists on each zone Detector. Note Using the CLI, you can configure the Detector with a global remote Guard list to activate the same Guards whenever any zone configured on the Detector is attacked. Refer to the appropriate Detector configuration guide listed in the "Related Documentation" section of the Preface. See the "Managing Zone Configurations" section in Chapter 1, "Product Overview" for more information. To exclude synchronizing zone polices or remote Guard lists, follow these steps: Step 1 From the navigation pane, choose a zone. The zone menu appears. Step 2 From the zone menu, choose Configuration > General. The zone General screen appears. Step 3 Verify the current synchronization parameter settings displayed in the MDM Synchronization Parameters area of the General Configuration table. The Synchronization Extent field identifies whether to exclude the configuration of policies and to exclude all remote Guards (Detector only) when synchronizing the zone. Step 4 Click Config (located below the first table) to modify the synchronization parameter settings. The Config Zone Form screen appears. Step 5 Enable the partial synchronization feature by activating the following options in the Synchronization Exclusion section of MDM Synchronization Parameters: •Check the Exclude Policies checkbox to instruct the MDM not to override the policies of the zone devices during the synchronization process. Check this option when you want to perform separate learning on each device and to preserve the results on a per-device basis. When you configure the MDM to exclude the synchronization of policies that reside on the master device, you must configure the MDM Learning Parameters to enable each zone device to perform the learning process. See the "Modifying the Zone General Configuration Attributes" section in Chapter 5, "Creating and Configuring Zones" for details. •Check the Exclude Remote Guards checkbox to instruct the MDM not to override the remote Guard list defined on each of the zone Detectors. When the Detectors detect an attack on the zone, each one activates a different list of remote Guards. Note The Exclude Remote Guards option is available only when you associate two or more Detectors with the zone. This option does not display when the zone contains only a single Detector or all Guards. When you configure the MDM to exclude from synchronization the remote Guard lists that reside on the master device, you must define a separate remote Guard list on each of the Detectors associated with the zone. See the "Managing the Remote Guard List on a Zone Detector" section in Chapter 5, "Creating and Configuring Zones" for details. Step 6 Click OK. The MDM saves the zone configuration changes on the master device. Initiating Synchronization Manually To manually initiate synchronization, follow these steps: Step 1 From the navigation pane, select an inactive zone. The zone menu appears. Step 2 From the zone menu, choose Activation > Synchronization. The MDM initiates synchronization on the master device. If an error occurs during synchronization, the MDM displays an error window and places an (x) next to the zone name in the navigation pane.
	© 1992-2008 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.